Important: This tutorial requires euca2ools 2. Most of the commands in the sponsor's section of this tutorial require version 2 or later of the euca2ools command line suite. A pre-release of version 2.0 is available from http://repos.fedorapeople.org/repos/gholms/cloud/.

Note: This tutorial does not require euca2ools 2. While the instructions for the sponsor in this tutorial require an unreleased version of euca2ools, the instructions for sponsored users do not. Either a euca2ools 2 pre-release or euca2ools 1.3.1 from the Fedora or EPEL repositories will work.

Latest revision as of 18:30, 10 September 2013

This document describes how to employ Amazon Identity and Access Management (IAM) to create users that people can use to test Amazon Elastic Compute Cloud (EC2) images for limited periods of time such as test days. It assumes that you have read and understood the EC2 Primer, and, if you are the sponsor for the event, the IAM Primer. It also assumes that the sponsor has administrative access to an Amazon Web Services (AWS) account that is dedicated to sponsoring people for test days and that people will not need to manipulate security groups or firewall rules.

The sponsor for the test days should have administrator-level access to an AWS account for test days. All of the commands in this section can be performed by an IAM user with administrative privileges such as the one created in the IAM Primer instead of account-level credentials.

Since the goal of an EC2 test day is to test a Fedora image that has already been registered in EC2, sponsored users can run instances in a permissive default security group that allows all traffic from the Internet. You can make that security group allow all traffic with euca-authorize:

Sponsored users who wish to use AWS's web console to manage their instances need to use an account-specific URL. To make that URL include a human-readable name instead of a long account number you can create an account alias:

Create a group for the specific test day. This is the group that you will use to manage permissions for every sponsored user.

$ euare-groupcreate -g test-day-20111020

Then add a time-limited policy to the group that allows its members to perform the relevant functions in EC2. A policy that seems to work appears below. Be sure to adjust its time constraints accordingly.
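One way to generate such a policy, as an added example rather than the policy from the original page: the EC2 action list is an assumption based on what sponsored users are asked to do here (run and terminate instances, create and delete keypairs), and `make_policy` and `is_utc_stamp` are hypothetical helper names. The two date conditions on `aws:CurrentTime` are what make the grant expire.

```shell
#!/bin/sh
# Added example, not the original page's policy. The action list is an
# assumption; the window at the bottom is a constructed sample.

# Succeed only for a UTC timestamp shaped like 2011-10-20T00:00:00Z.
is_utc_stamp() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) return 0 ;;
        *) return 1 ;;
    esac
}

# make_policy START END: print the policy JSON, or fail on a bad window.
make_policy() {
    start=$1 end=$2
    if ! is_utc_stamp "$start" || ! is_utc_stamp "$end"; then
        echo "timestamps must look like 2011-10-20T00:00:00Z" >&2; return 2
    fi
    # Fixed-width stamps compare correctly as integers once punctuation is stripped.
    s=$(printf %s "$start" | tr -d 'TZ:-')
    e=$(printf %s "$end" | tr -d 'TZ:-')
    [ "$s" -lt "$e" ] || { echo "window must end after it starts" >&2; return 3; }
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:Describe*", "ec2:GetConsoleOutput",
      "ec2:RunInstances", "ec2:RebootInstances", "ec2:TerminateInstances",
      "ec2:CreateKeyPair", "ec2:DeleteKeyPair"
    ],
    "Resource": "*",
    "Condition": {
      "DateGreaterThan": {"aws:CurrentTime": "$start"},
      "DateLessThan": {"aws:CurrentTime": "$end"}
    }
  }]
}
EOF
}

# Constructed sample window matching the test-day-20111020 group name.
make_policy 2011-10-20T00:00:00Z 2011-10-21T00:00:00Z
```

Outside the window no Allow statement matches, so requests from group members are denied by default even if their access keys are never revoked.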

Next, create the users that people will use for testing. Store their credentials in a directory so you can hand them out to people individually during the test day. (Or beforehand, since the policy is time-limited.)

If you want test day users to be able to use the online web console to manage their instances, create login profiles for them as well:

$ euare-useraddloginprofile -u tester01 -p SeekritPassword

Repeat this for each user.

When sending this information to sponsored people, include the access key ID and secret access key contained in the file credentials/testerN. If you also created login profiles for them, also send the appropriate user name (e.g. tester01) and password. They will be able to log into the AWS Console by going to https://your_AWS_Account_ID.signin.aws.amazon.com/console/. If you created an account alias, you can use that alias in place of the numeric account ID.

When you use a sponsored user for an EC2 test day, the sponsor will send you an access key ID and a secret access key that the euca2ools command line suite will use to access EC2 during the test day. To test Fedora EC2 images, follow along with the Getting Started with Fedora on EC2 section of the EC2 Primer, using the credentials you received in place of those that the guide asks you to fetch from Amazon's website. With these credentials you do not need to create your own AWS account.

Please be sure to clean up when you finish by deleting any keypairs you created and terminating any instances you started. EC2's access controls are not yet fine enough to prevent you from terminating other people's instances, so please be careful when doing so.

If the sponsor also sent you a username and password, you can use those to log into the AWS Console on the web instead of using command line tools. Ask your sponsor for the web address to which you should go to log in.
